IRS warns about CEO and W-2 fraud

The US Internal Revenue Service (IRS) has warned individuals and organizations about a dangerous new form of phishing scam that combines two well-known attack types:

CEO fraud – a type of phishing attack in which criminals spoof the email account of a person in a key position, usually the CEO or a top manager, and send emails to a member of staff, usually in finance, demanding that they wire funds.

W-2 phishing – similar to CEO fraud, with the only difference being that the request is to forward employee tax forms.

All organizations are possible targets, including school districts, health care organizations, restaurant chains, temporary staffing agencies and nonprofits. The FBI’s Internet Crime Complaint Center (IC3) has estimated that about 7,000 organizations have fallen for CEO fraud and lost more than $740m in the last two years.

How W-2 phishing works

Once criminals get their hands on W-2 data, they file fraudulent refund requests on behalf of taxpayers, who only discover the fraud when their tax returns are rejected. Even those who are not required to file a return and those who are not due a refund can be victims of refund fraud.

How to protect your staff from phishing fraud

No matter how effective your spam filter is, there is still a chance that a spoofed email will get past it, making your staff the last line of defense between your organization and fraud. It is therefore vital that your staff are aware of the risks of phishing emails. And with eLearning courses, training the whole staff doesn’t even have to be costly or time-consuming.